Ransomware Attacks Targeting Unpatched Systems

  • Story generated on: 13-06-25 12:04:09
  • cyber

News about ransomware gangs exploiting unpatched systems.

The Hacker News RSS Feed

Ransomware Gangs Exploit Unpatched SimpleHelp Flaws to Target Victims with Double Extortion

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday disclosed that ransomware actors are targeting unpatched SimpleHelp Remote Monitoring and Management (RMM) instances to compromise customers of an unnamed utility billing software provider. "This incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp

CSO Online RSS Feed

Cyberattack drives napkin manufacturer Fasana into insolvency

The napkin factory Fasana has fallen victim to a cyberattack. (Fasana GmbH) As reported by Westdeutscher Rundfunk (WDR), the napkin manufacturer Fasana was hit by a cyberattack at the end of May. According to the report, employees could neither write invoices nor process new orders. Production and delivery were so severely restricted that at times there was a complete standstill. According to the Kölner Stadtanzeiger, however, not only the production processes were affected by the attack, but also the salary payments for the roughly 240 employees. According to the WDR report, ransomware with a ransom note was involved in the attack. The perpetrators are said to be a known ransomware group, whose name, however, is not given. In total, Fasana expects damage running into the millions. According to WDR, the company has now even had to file for insolvency. Nevertheless, there is a small ray of hope: according to the regional broadcaster, the company has resumed operations. "Last week there were the first deliveries. Since Wednesday, employees have also been able to write invoices again," it says.

CSO Online RSS Feed

Fog ransomware gang abuses employee monitoring tool in unusual multi-stage attack

Fog ransomware hackers, known for targeting US educational institutions, are now using the legitimate employee monitoring software Syteca, and several open-source pen-testing tools, alongside the usual encryption. While investigating a May 2025 attack on an unnamed financial institution in Asia, Symantec researchers spotted hackers using Syteca (formerly Ekran) and several pen-testing tools, including GC2, Adaptix, and Stowaway, a behavior they found “highly unusual” in a ransomware attack chain.

Reflecting on the shift in Fog’s tactics, Bugcrowd’s CISO, Trey Ford, said, “We should expect the use of ordinary and legitimate corporate software as the norm—we refer to this as ‘living off the land’. Why would an attacker introduce new software, create more noise in logs, and increase the likelihood of detection when ‘allowable’ software gets the job done for them?”

While Symantec couldn’t identify the initial infection vector used in the attack, Fog ransomware actors have used critical vulnerabilities in the past, like the CVSS 9.8-rated Veeam Backup and Replication flaw allowing remote code execution, to gain unauthorized access. Additionally, the hackers’ unusual effort to maintain persistence long after encryption suggested a deeper, possibly ulterior, motive.

Syteca was likely used as a stealer

Researchers found attackers using Stowaway, the open-source proxy tool designed for secure communication between internal and external networks, to deliver the Syteca executable. It is not known how the attackers used the Syteca tool during the intrusion; it was distributed as files under names like “sytecaclient.exe” and “udpate.exe.” Still, the adversarial potential of an employee monitoring tool with screen recording and keystroke logging capabilities isn’t too hard to guess. Several libraries are loaded by this executable, suggesting it was possibly used for information stealing or spying, researchers added.

“The real danger in this case isn’t the ransom note — it’s how Fog turns a simple screen-recorder into a hidden camera,” said Akhil Mittal, senior manager at Black Duck. “Software is an essential driver of growth and innovation for every company; however, business apps we install on autopilot can suddenly become spy tools, which means trust is the weak spot.” Security teams should keep a live map of where every monitoring app is allowed to run and flag it the moment one pops up somewhere odd, Mittal added.

Open-source pen testers for executing commands

Another peculiarity observed in the attack was the use of open-source penetration testing tools, like GC2 and Adaptix C2, rarely seen in ransomware attacks. Google Command and Control (GC2) is an open-source post-exploitation tool that allows attackers to control compromised systems using legitimate cloud services like Google Sheets and Google Drive as their command-and-control (C2) infrastructure. The GC2 implant alone potentially allowed attackers to run discovery commands, transfer files, and load shellcode, hinting at deeper intelligence-gathering objectives.

“The use of expected productivity platforms (e.g., Google Sheets or Microsoft SharePoint) for command and control (C2) would have blended in a bit more with normalized corporate traffic, increasing the time to detect, and slowed investigations a bit,” Ford added. GC2 has been used previously in attacks attributed to the APT41 Chinese threat group. Adaptix C2, a post-exploitation framework similar to the Cobalt Strike beacon, was also seen in the Fog attack.

Persistence after encryption raises red flags

Unlike typical ransomware actors that exit post-encryption, the Fog group was seen establishing persistence even days after deploying the ransomware—a move more common in espionage operations. Using a service dubbed “SecurityHealthIron,” likely tied to launching command-and-control utilities, the attackers ensured ongoing access. “The attackers establishing persistence on a victim network having deployed the ransomware is also not something we would typically see in a ransomware attack,” researchers said. “These factors mean it could be possible that this company may in fact have been targeted for espionage purposes.” Coupled with lateral movement via PsExec and SMBExec, use of file transfer tools like MegaSync and 7-Zip for exfiltration, and stealthy cleanup of Syteca artifacts, the operation looked more like a planned, multi-stage intrusion than a quick ransomware grab.
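One way to act on the two defensive points in the Fog write-up (a live map of where a monitoring tool is allowed to run, and flagging artefacts that mimic legitimate names such as “udpate.exe” and the “SecurityHealthIron” service), as an added example that is not part of the original article or any vendor's tooling; the host roles, the allowlist and the set of legitimate names it baselines against are assumptions:

```python
import difflib

# Constructed allowlist (hypothetical): host roles on which the Syteca client
# is expected to run. In practice this map comes from the asset inventory.
MONITORING_ALLOWED_ROLES = {"sytecaclient.exe": {"call-center"}}

# Legitimate names that the artefacts named in the article resemble:
# "udpate.exe" vs update.exe, "SecurityHealthIron" vs the Windows
# SecurityHealthService. Assumption: these are the names a defender baselines.
LEGITIMATE_NAMES = {"update.exe", "SecurityHealthService"}
LOOKALIKE_THRESHOLD = 0.75  # difflib similarity ratio; tuned to the two cases above


def similarity(a, b):
    # Windows process and service names are case-insensitive, so compare lower-cased.
    return difflib.SequenceMatcher(None, a.lower(), b.lower()).ratio()


def review_inventory(inventory):
    """Return (host, name, reason) alerts for (host, role, kind, name) records.

    Rule 1: a monitoring-tool binary on a host whose role is not in its allowlist.
    Rule 2: a process or service name that is a near-miss (similar, not identical)
            of a legitimate name.
    """
    alerts = []
    for host, role, kind, name in inventory:
        allowed = MONITORING_ALLOWED_ROLES.get(name.lower())
        if allowed is not None and role not in allowed:
            alerts.append((host, name, f"monitoring tool outside allowed roles {sorted(allowed)}"))
        for legit in LEGITIMATE_NAMES:
            if name.lower() == legit.lower():
                continue  # exact legitimate name, nothing to flag
            if similarity(name, legit) >= LOOKALIKE_THRESHOLD:
                alerts.append((host, name, f"{kind} name resembles legitimate {legit}"))
    return alerts


# Constructed sample inventory: hostnames and roles are made up for the example.
SAMPLE_INVENTORY = [
    ("cc-desk-01", "call-center", "process", "sytecaclient.exe"),
    ("cc-desk-01", "call-center", "service", "SecurityHealthService"),
    ("fin-srv-07", "finance-server", "process", "sytecaclient.exe"),
    ("fin-srv-07", "finance-server", "process", "udpate.exe"),
    ("fin-srv-07", "finance-server", "service", "SecurityHealthIron"),
    ("hr-desk-03", "hr", "process", "explorer.exe"),
]

if __name__ == "__main__":
    for host, name, reason in review_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {name}: {reason}")
```

Run against the sample, only the finance server produces alerts: the monitoring client outside its allowed role, the transposed-letter binary, and the service name that shares its prefix with a real Windows service.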

Dark Reading RSS Feed

Threat Actor Abuses TeamFiltration for Entra ID Account Takeovers

Proofpoint researchers discovered a large-scale campaign using the open source penetration-testing framework that has targeted more than 80,000 Microsoft accounts.

Disclaimer: Blockes News is an AI-powered aggregator that summarizes content from original news outlets. All rights and ownership of the articles and media belong to their respective sources. We do not create or alter the news — we simply highlight and link to the original stories for your convenience and awareness. Always refer to the original source for full details. We only display content provided in the summary section of RSS feeds. If you are a content owner and wish to have your material removed, please contact us.
